Kaira
PrivacyTerms

Privacy Policy

Last updated: July 2026 · Published at kairaa.app/privacy

Kaira (“we”, “us”) is operated by the Kaira team. This policy describes how we handle personal data when you use the Kaira mobile app and related services.


1. Who we are

  • Product: Kaira — a 66-day reset app for building habits across six life pillars.
  • Contact: privacy@kairaa.app
  • Primary market: United States (English)

2. Data we collect

Account and profile

  • Email address and display name (via Google Sign In or Sign in with Apple)
  • Authentication identifiers managed by Supabase Auth
  • Profile settings (notification preferences, subscription state)

App activity (structured events only)

  • Screen views, button taps, funnel steps (e.g. onboarding completed, check-in submitted)
  • We do not send journal text, check-in notes, letters, or voice content to analytics tools.

Health and wellness content you create

  • Habit titles, daily check-ins, pact text, letters to your future self, reflections
  • Voice journal audio (stored until you delete it)
  • Stored in Supabase Postgres (text) and Cloudflare R2 (audio)

Device and technical data

  • Push notification tokens (Expo Push)
  • Crash reports and performance data (Sentry)
  • App version, device model, OS version
  • Hashed user identifier for analytics (HMAC — not your raw user ID)

Payments

  • Subscription status, product identifiers, trial dates (RevenueCat + Apple App Store)
  • We do not store full payment card numbers; Apple processes payments.

AI interactions

  • Task type, token counts, model used, cost (Langfuse + our database)
  • Prompts and completions are processed by AI providers (Anthropic, OpenAI, Groq/Fireworks as configured) solely to generate Kaira's responses
  • User-generated content in prompts is not sent to PostHog, Sentry, or BetterStack

3. How we use data

  • Provide and improve the Kaira app (cycles, check-ins, AI moments, push reminders)
  • Authenticate you and secure your account
  • Process subscriptions and trials
  • Send push and local notifications you opt into
  • Monitor app stability and fix bugs (Sentry)
  • Understand product usage in aggregate (PostHog)
  • Monitor uptime of external services (BetterStack)
  • Comply with legal obligations

We do not sell your personal data. We do not use your journal or letter content for advertising.

4. Service providers (subprocessors)

ProviderPurposeData shared
SupabaseDatabase, auth, Edge Functions, RealtimeAccount, app content, structured logs
Cloudflare R2Voice journal audio storageAudio files
GoogleOAuth sign-inEmail, name (if granted)
AppleSign in with Apple, App Store subscriptionsEmail (optional relay), subscription receipts
RevenueCatSubscription managementUser ID, subscription events
SentryError and performance monitoringCrashes, device info (scrubbed of user content)
PostHog (EU cloud)Analytics, feature flags, session replayHashed user ID, events (no user content)
BetterStackUptime monitoringHTTP health checks only
Anthropic / OpenAI / Groq / FireworksAI text generationPrompts containing your context for Kaira responses
LangfuseAI observabilityTraces with hashed user ID, token metrics
Deepgram / OpenAISpeech-to-text for voice journalsAudio transcription (when used)
ExpoPush notification deliveryPush tokens, notification payloads

Data processing agreements (DPAs) will be in place with applicable vendors before public launch.

5. Session replay and masking

PostHog session replay is configured with aggressive masking. Text inputs marked sensitive are masked by default. We review new UI components to avoid capturing private content in replays.

6. Data retention

  • Account and app content: Until you delete your account or specific content
  • Analytics events: Up to 1 year (PostHog)
  • Error logs: Per Sentry retention settings
  • AI traces: Per Langfuse retention; linked via hashed identifier

7. Your rights

Depending on your location, you may have the right to:

  • Access, correct, or delete your personal data
  • Export your data
  • Object to or restrict certain processing
  • Withdraw consent where processing is consent-based

Account deletion: Use in-app settings (when available) or contact privacy@kairaa.app. Our delete-user-data process removes Postgres rows, R2 audio, and requests deletion from PostHog, Sentry, RevenueCat, and Langfuse where applicable.

8. Security

  • Row Level Security on all user tables in Supabase
  • TLS in transit; encryption at rest with cloud providers
  • Internal cron jobs protected by server-side secrets
  • No storage of payment card details in our database

9. Children

Kaira is not directed at children under 13 (or 16 in the EEA). We do not knowingly collect data from children.

10. International transfers

Primary infrastructure is in the United States (Supabase us-east-1). PostHog analytics uses EU hosting where configured. Transfers rely on standard contractual clauses or equivalent safeguards where required.

11. Changes

We will update this policy before material changes take effect and revise the “Last updated” date. Continued use after changes constitutes acceptance where permitted by law.

12. Contact

Questions about this policy: privacy@kairaa.app

© 2026 Kaira
Privacy PolicyTerms of Serviceprivacy@kairaa.app